Shadow AI vs. Shadow IT: The Role of SaaS Risk Assessments and Zero Trust for Risk Mitigation
Article Summary:
As Shadow AI emerges from the broader trend of Shadow IT, organizations face new layers of risk tied to unsanctioned tools, especially generative AI and browser extensions. This article explores how SaaS Risk Assessments and Zero Trust Architecture (ZTA) work in tandem to mitigate growing threats stemming from both.
Shadow AI Risk Key Insights:
- Shadow AI is harder to detect than Shadow IT, especially since it’s often embedded in browser extensions or AI-enabled SaaS tools, making it a stealthier risk vector.
- Shadow IT remains widespread — most large firms vastly underestimate the number of apps in use by employees, which leads to blind spots in compliance and security.
- Security and compliance risks are escalating as employees increasingly input sensitive data into personal GenAI tools, leading to potential data leakage and regulatory violations.
- SaaS Risk Assessments help uncover unauthorized apps and AI tools by identifying misconfigurations, excessive permissions, and shadow usage patterns.
- Zero Trust Architecture enforces continuous verification and least-privilege access, enabling organizations to proactively secure SaaS and AI use regardless of device or location.
In 2025, the lines between Shadow IT and Shadow AI are blurring — and security leaders are scrambling to keep up. While the term “shadow” refers to the implementation of any technology resources by employees without the knowledge or governance of the IT team, Shadow IT and Shadow AI are different, albeit related ideas.
So, how are they different?
More importantly, what are their risks?
And how can your organization mitigate these risks?
Read on to discover the answers!
What is Shadow IT?
Gartner defines Shadow IT as any and all “IT devices, software and services outside the ownership or control of IT organizations.” Thus, any IT resources that employees download, install, or use outside the IT team’s purview are Shadow IT. These may include:
- Hardware like desktop or laptop computers
- Mobile devices like tablets or smartphones that don’t comply with the company’s BYOD (bring your own device) policies
- Software applications, both locally downloaded (on-prem) or cloud-based (SaaS)
- Unapproved browser extensions
- Off-the-shelf or open-source software
- Other cloud-based services, such as productivity tools, messaging apps, storage solutions, databases, virtual servers, PaaS platforms, or networking services
- Undocumented APIs
- Custom configurations and integrations
- Personal accounts used for work purposes
- Free-trial sign-ups for unapproved services
How common is Shadow IT?
Some experts estimate that 85-90% of SaaS in use today is Shadow SaaS, meaning that most SaaS products are invisible to IT teams. In a 2023 Capterra survey of small and midsize businesses (SMBs), 57% of organizations reported that Shadow IT existed in their businesses. Shadow IT is also prevalent in large enterprises: according to one report, the average big firm believes that its employees use only 37 apps, when they actually use 625. That is roughly 17 times as many apps as IT believes, and nearly 590 apps that IT doesn’t know about.
Check out our 2025 AI Compliance and Browser Extension Risk Report: https://spin.ai/ai-compliance-and-browser-extension-risks-in-2025/
Moreover, Shadow IT will continue to grow in the coming years. Gartner predicts that by 2027, 75% of employees will “acquire, modify or create technology outside IT’s visibility – up from 41% in 2022”.
This extensive shadow IT usage among employees can have both positive and negative consequences for your organization.
Let’s explore the positives first.
Shadow IT allows users to quickly access the tools they need for work without going through complicated and lengthy IT approval processes. These apps are also often easier to use than approved ones, so workers can handle work-related tasks more effectively.
In fact, a full 98% of SMBs report that Shadow IT generates long-term positive impacts. Furthermore:
- 51% said that it helped employees to save time
- 54% said that it increased employee satisfaction
- 42% said that it reduced the IT team’s workload
- 80% said that it had a positive financial impact on the business.
And now, let’s talk about the negatives of Shadow IT.
Security Challenges
The Capterra survey that enumerated the benefits of Shadow IT also found that it created a major problem for SMBs: 76% of them said that it exposed their business to cybersecurity threats. When IT teams don’t know about unauthorized tools, vulnerabilities and misconfigurations in those tools go undetected and unpatched. Attackers can exploit these weaknesses to gain unauthorized access to the organization’s systems or to steal or compromise its data. With the average data breach now costing $4.88 million (IBM’s 2024 figure), even a single breach can be very costly for an organization.
Compliance Issues
Unauthorized tools often don’t meet the strict data security and privacy requirements mandated by laws and standards like GDPR, ISO 27001, and HIPAA. This may increase the risk of non-compliance, which could create numerous problems, including hefty regulatory penalties, legal problems, and reputational harm.
What is Shadow AI?
IBM defines Shadow AI as “the unsanctioned use of any AI tool or application by employees or end users without the formal approval or oversight of the IT department.” Examples include:
- GenAI tools like ChatGPT or Google Gemini
- Marketing automation tools
- Data visualization tools
- AI analytics platforms
- AI image generators
- HR tools
- ML models for data analysis
Shadow AI also includes AI capabilities embedded within SaaS tools and environments that IT does not know about, as well as browser extensions that may be transmitting page content to an LLM without the user’s knowledge. For example, one employee may download an AI-enabled productivity platform to automate tasks like content creation or note-taking. Another may download a data analysis tool that generates useful insights and visualizations.
While these tools – even their free versions – can be useful in many ways, they also pose numerous risks for organizations.
Risk of Data Breaches and Losses
When using AI tools, employees often provide the tools with a lot of sensitive company data. The Q2 2024 AI Adoption and Risk Report by Cyberhaven Labs reveals that the amount of corporate data workers put into AI tools increased by 485% in a single year (March 2023 to March 2024). The share of that data that is sensitive has also increased: from 10.7% in March 2023 to 27.4% just a year later.
Many consumer AI services retain the prompts they receive and may use them to train or improve their models unless the account is configured otherwise. The downside is that this data may be exposed to external parties, either inadvertently or on purpose. This puts the data’s confidentiality and integrity at risk.
Another problem is that large quantities of sensitive corporate information are going into non-corporate or personal accounts. For example, a whopping 73.8% of ChatGPT use at work goes through personal, non-corporate accounts. These unauthorized or unknown “shadow” accounts lack the security and privacy controls of paid enterprise accounts, once again increasing the risk of data leaks and breaches.
Traditional Data Protection Mechanisms Provide Insufficient Security
Most traditional data protection tools use static rules to identify and protect data. In dynamic AI environments where data is created and consumed at very high volumes and velocities, these rules become outdated quickly, weakening security and increasing the potential for breaches. Further, detection or configuration gaps can mean valuable corporate data is slipping through the cracks and leaving your environment via risky apps and extensions, even with DLP tools in place.
Traditional security measures also cannot identify or mitigate emerging threats targeting AI environments, such as AI-powered malware, automated phishing, and deepfakes. Adding unauthorized tools to the mix only expands the attack surface and increases the organization’s susceptibility to damaging attacks and breaches.
Compliance Concerns
Shadow AI – like Shadow IT – also creates compliance risks for organizations. If IT doesn’t know which AI tools are being used, it’s impossible for them to control and govern the data that’s going into those tools. If they cannot control the data, they cannot implement measures to protect user privacy or ensure compliance with privacy regulations.
Model Manipulation
Most AI models are vulnerable to data manipulation and poisoning. Attackers can manipulate models to generate incorrect output or to spread misinformation. They can also poison training data to implant backdoors, steer users toward phishing content, or propagate malicious code through a software supply chain. These risks are particularly high for Shadow AI tools: because they are unsanctioned or unknown to the IT department, there is no way to ensure that the data feeding them is protected against manipulation and poisoning.
Shadow IT vs. Shadow AI
A few years ago, AI was still a niche technology that only large companies with deep pockets could access. Today, a large number of AI tools are now readily available for use not just by all kinds of organizations, but the average end user. Unfortunately, the “democratization” of AI has also led to the emergence of Shadow AI from the broader trend of Shadow IT. Moreover, Shadow AI often rides on top of Shadow IT, thus expanding the risk landscape and making threat containment an even bigger challenge than before.
These overlaps notwithstanding, Shadow IT and Shadow AI are two distinct concepts. The key differences are enumerated below:
| Factor | Shadow IT | Shadow AI |
| --- | --- | --- |
| Tool Types | SaaS apps, unmanaged devices, cloud services, and more (see the list above) | Generative AI chatbots, LLMs, code-assist tools, and more (see the list above) |
| Threat Detectability | Somewhat visible via CASB (Cloud Access Security Broker) or DLP (Data Loss Prevention) tools | Often browser-based (extensions, personal accounts used in the browser) and therefore harder to trace and mitigate |
| Controlled via | SaaS governance programs with detailed policies, procedures, and practices to maintain asset visibility, control, and security | A comprehensive AI governance program that combines SaaS governance with AI-specific Acceptable Use Policies (AUPs), procedures, and practices to monitor, control, and optimize: AI model behaviors and output; model use (ethical and fair); and use of training data (quality, accuracy, privacy, security, and ethical use) |
| Risk Layer | Mostly remains at the app level | Not limited to the app level; also present at the model level (training data, prompts, and outputs) |
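The Python script below is an added example, not code from this article or from Spin.AI, of the kind of check that makes browser-based Shadow AI traceable at all: it parses Chrome extension manifests (Manifest V2 and V3), and flags any extension that can reach an LLM API host, can run on every site, or holds permissions that widen what it can read. The list of AI API hosts, the three manifests, and the risk tiers are constructed for illustration; in an enterprise the manifests would come from the extension inventory of a managed browser.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed, illustrative list of LLM API hosts; extend it for your environment.
AI_API_HOSTS = (
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
)

# Match patterns that let a content script run on, or a request reach, every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Standard Chrome permissions that widen what an extension can read.
SENSITIVE_PERMISSIONS = {"clipboardRead", "tabs", "webRequest", "cookies", "history"}

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def host_of(pattern):
    """Return the host part of a Chrome match pattern ('*' means every host)."""
    if pattern == "<all_urls>":
        return "*"
    if pattern.startswith("*://"):            # urlparse does not accept '*' as a scheme
        pattern = "http://" + pattern[4:]
    return (urlparse(pattern).hostname or "").lower()


def requested_hosts(manifest):
    """Every match pattern the extension declares: MV3 host_permissions,
    MV2 host entries inside 'permissions', and content_scripts matches."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return set(patterns)


def assess_extension(name, manifest):
    """Classify one manifest: which LLM APIs it may call, whether it can read
    every page, and which sensitive permissions it holds."""
    patterns = requested_hosts(manifest)
    broad = sorted(p for p in patterns if p in ALL_SITES)
    ai_hosts = set()
    for pattern in patterns:
        host = host_of(pattern)
        if host in ("", "*"):                 # wildcard hosts are reported as 'broad'
            continue
        for api in AI_API_HOSTS:
            if fnmatch.fnmatchcase(api, host):  # '*.openai.com' covers api.openai.com
                ai_hosts.add(api)
    sensitive = sorted(set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS)
    if ai_hosts and broad:
        risk = "high"       # can read any page and ship it to an LLM API
    elif ai_hosts or broad:
        risk = "medium"
    else:
        risk = "low"
    return {"name": name, "risk": risk, "ai_hosts": sorted(ai_hosts),
            "broad_access": broad, "sensitive_permissions": sensitive}


def scan(manifests):
    """Assess every manifest and order the findings by risk, then name."""
    findings = [assess_extension(n, m) for n, m in manifests.items()]
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["name"]))


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "Meeting Notes Helper": {
        "manifest_version": 3,
        "permissions": ["storage", "clipboardRead"],
        "host_permissions": ["https://api.openai.com/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
    "Grammar Fixer": {
        "manifest_version": 2,
        "permissions": ["activeTab", "https://*.anthropic.com/*"],
    },
    "Tab Sorter": {
        "manifest_version": 3,
        "permissions": ["tabs"],
        "host_permissions": [],
    },
}

if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFESTS):
        print(f"{f['risk']:6} {f['name']}: ai={f['ai_hosts']} "
              f"broad={f['broad_access']} perms={f['sensitive_permissions']}")
```

An extension that both runs on every page (`<all_urls>`) and can call an LLM API is rated high, because that is exactly the “transmitting data to an LLM without the user’s knowledge” pattern. The script only shows what the extension is permitted to do, not what it actually does, so its findings are prioritization input for the risk assessment rather than proof of exfiltration.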
2 Strategies to Combat Shadow Threats
Here are two strategies to combat the risks of Shadow IT and Shadow AI:
#1. SaaS Risk Assessments
A SaaS Risk Assessment is the first and most important step to mitigate the risks of Shadow IT and Shadow AI. This is because it allows enterprise IT teams to gain visibility into the entire SaaS environment. It involves scanning the environment to identify issues like misconfigurations, excessive permissions, regulatory risks, and unauthorized or high-risk data sharing.
It also includes the following activities:
- Vendor evaluations to assess their trustworthiness and security-readiness
- Assessment of data residency to determine where data resides and in what form
- Evaluations of AI integrations to clarify the risks of Shadow AI
- Review of SaaS apps usage visibility to determine app impact on operations and productivity, and to inform financial decisions about updates, upgrades, training, and security
The findings generated by the assessment can help IT staff to:
- Understand how risky their SaaS applications and browser extensions are
- Clarify what makes a particular application high-risk
- Identify the potential vulnerabilities within each app, along with:
  - The probability that those vulnerabilities are exploited
  - The potential impact of exploitation
- Identify which applications have access to sensitive or business-critical data
After identifying SaaS risks and vulnerabilities, IT teams can categorize and prioritize them, and implement appropriate risk mitigation strategies and controls. For example, they can implement role-based access control (RBAC) to limit resource access and prevent unauthorized or malicious access.
Organizations can also use the risk assessment to understand and integrate Shadow AI risk into SaaS risk workflows. The easiest way to do this is with a Shadow SaaS/Shadow AI discovery solution. We recommend SpinOne, a comprehensive security platform from Spin.AI – the leaders in AI-enabled SaaS security.
SpinOne includes a SaaS Security Posture Management (SSPM) module that automatically inventories the entire SaaS environment, including all unsanctioned apps and browser extensions. It also performs automated risk assessments within a few seconds so IT can quickly review or block potential risks before they can cause any harm.
#2. Zero Trust Architecture
A Zero Trust Architecture (ZTA) is also foundational to combat the risks inherent in Shadow IT and Shadow AI.
In the traditional security approach, everything inside the organization’s network perimeter is trusted and considered safe. ZTA is the complete reversal of this old-fashioned “castle-and-moat” approach.
ZTA is based on three vital principles:
- Never trust, always verify: Every device, user, or application is treated as untrusted and must be explicitly authenticated and authorized before it is granted access to a resource.
- Assume breach: ZTA treats breaches as inevitable and encourages organizations to proactively prepare and contain rather than reactively respond.
- Least-privilege access: Users get only the minimum level of access they need for their specific role, no more and no less.
By rethinking security in these terms, organizations can minimize their attack surface, detect and block threats early, contain breaches, and minimize data losses.
For truly effective protection from shadow threats, ZTA must:
- Focus on securing SaaS and AI apps (and browser extensions), not only devices and users
- Assess the risk of all apps by evaluating their permissions and behaviors before allowing access
- Enforce compliance by only allowing tools that meet security and regulatory standards
- Continuously monitor, assess, and reassess all apps and extensions to ensure that they remain safe to use
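As an added example (not code from this article or from SpinOne), the Python policy decision point below applies the three principles and the four requirements above to a SaaS access request: it re-checks a recent MFA proof and device posture on every call, refuses any app that the SaaS risk assessment has not inventoried or has rated high risk, trims requested scopes to what the caller’s role allows, and withholds write scopes from medium-risk apps. The role-to-scope mapping, the app risk tiers, the 15-minute re-verification window, and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege mapping: the scopes each role may hold.
ROLE_SCOPES = {
    "sales": {"crm.read", "crm.write", "files.read"},
    "finance": {"ledger.read", "ledger.write", "files.read"},
}

# Constructed output of a SaaS risk assessment; apps not listed are shadow apps.
APP_RISK = {"crm-suite": "low", "expense-tool": "medium", "ai-notetaker": "high"}

# Assumption: identity and device proofs older than this must be refreshed.
MAX_VERIFICATION_AGE = 15 * 60


@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    scopes: set
    verified_at: float      # time of the last MFA + device-posture verification
    device_compliant: bool  # result of that posture check
    now: float


def decide(req):
    """Evaluate one request; returns decision, granted_scopes and reasons."""
    reasons = []
    deny = False

    # Assume breach: a compliant device is required regardless of network location.
    if not req.device_compliant:
        deny = True
        reasons.append("device failed posture check")

    # Only assessed apps may be reached; an unknown app is a shadow app.
    tier = APP_RISK.get(req.app)
    if tier is None:
        deny = True
        reasons.append(f"{req.app} not in assessed SaaS inventory")
    elif tier == "high":
        deny = True
        reasons.append(f"{req.app} rated high risk by SaaS risk assessment")

    # Least privilege: grant only the intersection of the request and the role.
    allowed = ROLE_SCOPES.get(req.role, set())
    granted = req.scopes & allowed
    if req.scopes - allowed:
        reasons.append(f"scopes outside role {req.role} dropped: "
                       f"{sorted(req.scopes - allowed)}")
    if tier == "medium":
        writes = {s for s in granted if s.endswith(".write")}
        if writes:
            granted -= writes
            reasons.append("write scopes withheld for medium-risk app")

    if deny:
        return {"decision": "deny", "granted_scopes": set(), "reasons": reasons}
    # Never trust, always verify: a stale proof means step-up, not implicit trust.
    if req.now - req.verified_at > MAX_VERIFICATION_AGE:
        reasons.append("verification stale: step-up authentication required")
        return {"decision": "step_up", "granted_scopes": set(), "reasons": reasons}
    if not granted:
        reasons.append("no permitted scopes remain")
        return {"decision": "deny", "granted_scopes": set(), "reasons": reasons}
    return {"decision": "allow", "granted_scopes": granted, "reasons": reasons}


# Constructed sample requests evaluated at a fixed clock value.
NOW = 1_700_000_000.0
SAMPLE_REQUESTS = [
    AccessRequest("alice", "sales", "crm-suite", {"crm.read", "crm.write"}, NOW - 60, True, NOW),
    AccessRequest("bob", "sales", "ai-notetaker", {"files.read"}, NOW - 60, True, NOW),
    AccessRequest("carol", "finance", "expense-tool",
                  {"ledger.read", "ledger.write", "crm.read"}, NOW - 60, True, NOW),
    AccessRequest("dave", "sales", "crm-suite", {"crm.read"}, NOW - 3600, True, NOW),
    AccessRequest("erin", "sales", "quick-pdf-ai", {"files.read"}, NOW - 60, True, NOW),
]


def run_samples():
    """Decide every sample request, keyed by user."""
    return {r.user: decide(r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for user, result in run_samples().items():
        print(user, result["decision"], sorted(result["granted_scopes"]), result["reasons"])
```

The decision is recomputed on every request rather than cached at login, which is what “continuously monitor, assess, and reassess” means in practice: when the assessment re-rates an app, or a device falls out of compliance, the next request is affected immediately.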
Conclusion
Shadow IT is a growing threat for organizations, and Shadow AI is rapidly becoming its most dangerous form. The key to mitigating both is a two-pronged security approach that combines a SaaS Risk Assessment with ZTA.
By regularly auditing your IT environment and adopting a proactive zero-trust security approach, you can control the sprawl of unsanctioned SaaS and AI. More importantly, you can strengthen the organization’s security posture and cyber-resilience.
Minimize shadow threats, reduce security incidents, and improve compliance with SpinOne. Click here to learn more.